
Yubikeys for Two-Factor Auth

Dec 5, 2017| Paddy Steed

If you’re amassing a plethora of user accounts that require two-factor authentication (2FA), and let’s face it, you should be, then you’ll be pleased to learn how a USB Yubikey can spare you from typing in quite so many one-time passwords (OTPs).

Two-Factor Authentication with One-Time Passwords

A user’s login procedure using a traditional OTP is usually something like this:

Navigate to example.com

Enter username and password

Receive prompt for OTP

Read short numeric code from OTP generator

Type OTP into web page

Enabling 2FA on your online accounts is a huge improvement on using static passwords alone. However, OTP-based 2FA makes the most common form of account compromise, phishing, only marginally more difficult.

OTP and phishing

According to research by Google, phishing is by far the most common way for an online account to be compromised.
Phishing attacks were responsible for John Podesta’s email getting hacked. They were responsible for Hillary Clinton’s campaign emails being hacked.
Even if you are a Republican you are still not safe, as Sarah Palin’s email account was hacked via a phishing attack.

Despite what the victims will tell you, these attacks are not sophisticated and they don’t require “state sponsorship”.
The industry standard advice seems to be to train staff to recognise phishing attacks.
This is expensive and companies that do this still get phished.

If the user is tricked into entering their login details on a phishing site then OTP 2FA does no good.
They will have given their password and OTP to the phishing site, which can then forward that on to the real site and impersonate the user.
The only frustration OTPs cause an attacker attempting this is a short window in which to forward those credentials before the OTP expires.
In practice this is not an issue as the easiest way of phishing a site is setting up a reverse proxy to it, in which case the credentials are forwarded in real time.

The U2F alternative

When using a certified U2F device, a user’s experience goes like this:

Navigate to example.com

Enter username and password

Touch U2F device

A lot happens when that device is touched.
The U2F device signs a message that includes a random challenge from the server, the site’s origin as the browser actually sees it (so a look-alike phishing domain ends up inside the signed data and the real site rejects the signature), a counter that increases on every use, and some other fields.
The browser then forwards that signature, together with the data that was signed, to the server, which checks that the origin is its own and that the challenge is one it recently issued.
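What that signature covers, and why relaying it from a phishing site fails, modelled in Python. This is an added example, not Yubico’s or any browser’s code: HMAC-SHA256 stands in for the token’s ECDSA P-256 signature so the example runs on the standard library alone, the phishing domain examp1e.com is hypothetical, and the `Token` and `RelyingParty` classes with their counter and challenge checks are assumptions about how a relying party is typically implemented.

```python
"""Model of the U2F sign step: what the device signs and why a relayed
assertion fails at the real site. Added example; HMAC-SHA256 stands in for
the device's ECDSA P-256 signature so this runs on the standard library."""
import hashlib
import hmac
import json
import secrets


def signed_message(app_id, counter, client_data):
    # U2F authentication signatures cover:
    #   sha256(appId) || user-presence byte || 4-byte counter || sha256(clientData)
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + counter.to_bytes(4, "big") + hashlib.sha256(client_data).digest())


class Token:
    """The USB device: one key per registration, a counter, no idea what an origin is."""

    def __init__(self):
        self.keys = {}      # appId -> key (a real token: key handle -> private key)
        self.counter = 0

    def register(self, app_id):
        self.keys[app_id] = secrets.token_bytes(32)
        return self.keys[app_id]    # stands in for the public key handed to the site

    def sign(self, app_id, client_data):
        self.counter += 1           # monotonic; lets the site notice a cloned token
        msg = signed_message(app_id, self.counter, client_data)
        return self.counter, hmac.new(self.keys[app_id], msg, hashlib.sha256).digest()


def browser_sign(token, origin, app_id, challenge):
    """The browser builds clientData itself; the page cannot choose the origin field."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": origin},
                             sort_keys=True).encode()
    counter, sig = token.sign(app_id, client_data)
    return client_data, counter, sig


class RelyingParty:
    """example.com's server side (assumed implementation)."""

    def __init__(self, origin):
        self.origin = origin
        self.app_id = origin
        self.key = None
        self.last_counter = 0
        self.pending = set()        # challenges issued but not yet used

    def register(self, token):
        self.key = token.register(self.app_id)

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data, counter, sig):
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin:
            return False, "origin mismatch"          # the anti-phishing check
        if cd.get("challenge") not in self.pending:
            return False, "unknown or reused challenge"
        if counter <= self.last_counter:
            return False, "counter did not advance"
        expected = hmac.new(self.key, signed_message(self.app_id, counter, client_data),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.pending.discard(cd["challenge"])
        self.last_counter = counter
        return True, "ok"


def legitimate_login(rp, token):
    challenge = rp.new_challenge()
    return rp.verify(*browser_sign(token, rp.origin, rp.app_id, challenge))


def phished_login(rp, token, phish_origin="https://examp1e.com"):
    """Reverse-proxy phish: the attacker fetches a real challenge from example.com,
    serves the login page from their own host and relays whatever comes back."""
    challenge = rp.new_challenge()
    # The victim's browser records the origin it actually loaded: the phishing site.
    # (Real browsers also refuse to use example.com's appId from a foreign origin,
    # so in practice the phisher never even receives a signature.)
    return rp.verify(*browser_sign(token, phish_origin, rp.app_id, challenge))


def replayed_login(rp, token):
    challenge = rp.new_challenge()
    assertion = browser_sign(token, rp.origin, rp.app_id, challenge)
    rp.verify(*assertion)                   # first use succeeds
    return rp.verify(*assertion)            # same assertion again is rejected


if __name__ == "__main__":
    rp, token = RelyingParty("https://example.com"), Token()
    rp.register(token)
    print("legitimate:", legitimate_login(rp, token))
    print("phished:   ", phished_login(rp, token))
    print("replayed:  ", replayed_login(rp, token))
```

The attacker in `phished_login` does everything the OTP-relay attacker does, and it still fails: the signed data names the origin the victim’s browser really connected to, and the server compares that against its own name before it even looks at the signature.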

Your Yubikey (a YubiKey 4, a YubiKey NEO or the FIDO U2F Security Key) is also a certified U2F device, and this is the most user-friendly way to use it as your second factor.
The latest versions of Chrome, Opera and Firefox support U2F, although in Firefox it is not yet enabled by default and must be switched on in the about:config page.

Falling back to Time-based OTP

Not every site supports U2F yet. AWS, for example, supports the TOTP standard (RFC 6238) instead.
A smart card with no battery cannot implement TOTP by itself, because generating the code requires a real-time clock.

Thankfully, you can use the Yubico Authenticator app to generate TOTP codes from secrets stored on your Yubikey: the computer supplies the current time, the Yubikey computes the HMAC, and the secret never leaves the device. You can store up to 32 TOTP accounts on your Yubikey, and since nothing is stored on the host you can insert it into any machine with Yubico Authenticator installed and all your codes will be available there. Bear in mind that this only protects the secret from being copied off a phone or laptop; a code generated this way is still an OTP and can be relayed by a phishing proxy exactly as described above.
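The two points made above, that a TOTP cannot be computed without the current time and that a relayed TOTP is still accepted by the real site within its validity window, in working code. This is an added example, not the Yubico Authenticator’s or AWS’s code. The secret and timestamps are the published RFC 6238 test vector, so the codes can be checked against the RFC; the one-step-either-side acceptance window in `server_accepts` is an assumption about typical server behaviour.

```python
"""TOTP (RFC 6238) from scratch, plus the reverse-proxy relay it does not stop.
Added example. Secret and timestamps are the RFC 6238 Appendix B test vector."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC 6238 Appendix B SHA-1 test secret (ASCII)
STEP = 30                           # seconds per time step
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP):
    """The HOTP counter is the wall clock in 30 s steps. This is the input a
    batteryless card cannot produce on its own: the host (here, the caller; in
    practice Yubico Authenticator) has to supply the time."""
    return hotp(secret, int(unix_time) // step)


def current_code(secret):
    """What the Authenticator app would display right now."""
    return totp(secret, time.time())


def server_accepts(secret, code, unix_time, skew_steps=1):
    """Assumed server policy: accept the current step and one step either side
    to tolerate clock drift and typing delay."""
    now = int(unix_time) // STEP
    return any(hotp(secret, now + d) == code
               for d in range(-skew_steps, skew_steps + 1))


def relay_attack(secret, victim_time, relay_delay):
    """Reverse-proxy phish: the victim types the code into the phishing site at
    victim_time and the attacker forwards it relay_delay seconds later.
    Returns whether the real server still accepts it."""
    code = totp(secret, victim_time)          # what the victim read off the app
    return server_accepts(secret, code, victim_time + relay_delay)


if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(f"T={t:>10}  TOTP={totp(SECRET, t)}")
    print("relayed after 2 s accepted:  ", relay_attack(SECRET, 59, 2))
    print("relayed after 120 s accepted:", relay_attack(SECRET, 59, 120))
```

The 90-second acceptance window is what the attacker lives inside, and a proxy that forwards the code as soon as the victim presses Enter lands well within it; the only relay that fails is one delayed past the window, which is not how phishing proxies operate.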

Why U2F?

Google performed a two-year study on U2F devices, which are widely deployed within Google. They found that, compared with an app-based OTP like Google Authenticator, users authenticated faster using a U2F device. U2F devices were, by design, resistant to the phishing and man-in-the-middle relay described above, and users raised support tickets for authentication problems far less frequently.

An increasing number of sites support U2F. It is more secure than OTP-based 2FA, and users authenticate faster with it than with an OTP app.